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0 Electronic transaction system. 



0 An electronic transaction in which in order to 
improve a reliability of message certification by digi- 
tal signature and enable the use of the digital signa- 
ture in a formal transaction in place of conventional 
signature or seal, the following procedures are im- 
plemented utilizing the fact that, in a public key 
Cjl cryptograph system represented by an RSA system, 
^a first encoded message derived by encoding a first 
decoded message by using a public key of a first 
O transacting party is equal to a secofKl encoded mes- 
^sage derived by encoding a second decoded mes- 
^sage by using a public key of a second transacting 
IF- party: a) Check sender/receiver; b) Add cent nt cer- 
^tification function c) Double check th person by th 
O possession of a secret key and the response by a 
^ terminal: d) Add a time limit to an effectiv period of 
Ujan electronic seal; e) Add a grace period to the 
electronic seal; and f) Send back a tally impression 
from the receiver to the sender. 
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\ ELECTRONIC TRANSACTION SYSTEM 



BACKGROUND OF THE INVENTION 

The present Invention relates to an electronic 
transaction and more particularly to an electronic 
transaction system which electronically effects 
commercial transactions by computer documents 
instead of conventional documents. 

In the past, contracts are authenticated or vali- 
dated by signatures or seals. Where data are trans- 
mitted through a communication like electronic 
transaction between two parties having interests to 
each other, even if the signature and seal data are 
converted to digital signals for transmission, they 
may be easily copied and hence they cannot be 
used for authenticity. Accordingly, the authenticity 
of the message by digital signature which* cor- 
responds to the nomial signature, and seal is re- 
quired. In order for the message authenticity to t>e 
effective as formal transaction in place of the signa- 
ture or seal, the following four conditions should be 
met 

(a) Only the transmitter can prepare a signed 
message such as a contract It cannot be forged by 
a third person. 

(b) The receiver cannot alter the signed 
message. 

(c) The transmitter cannot later deny the fact 
of transmission. 

(d) The receiver cannot later deny the fact of 
reception. 

The following methods have t>een proposed to 
achieve the digital signature. 

(1) Digital signature which uses conventional 
cryptograph 

(2) Digital signature which uses public key 
cryptograph 

(3) Digital signature by hybrid system 
Characteristics and problems of those three 

methods are described below. 



(1) Digital signature which uses conventional 
crystograph 

Many digital signature methods which use the 
DES (data encryption standard) system crypto- 
graph have been proposed but notarization is re- 
quired or the receiver can alter the signed mes- 
sage k)ecause the transmitting station and the re- 
ceiving station, have a common authenticity key. 
Accordingly, no practical signature system has 
been known. 



(2) Digital signature which us^s public key cryp- 
tograph 

The digital signature can be relativ ly easily 
5 attained by using the public key cryptograph sys- 
tem represented by an RSA (Rivest-Shamir-Ald- 
leman) algorithm. 

Fig. 1 shows a chart of a prior art digital 
signature by the public key cryptograph. 
70 In a step 101, a message M from a sender A is 

inputted. 

In a step 102. a decoded message D (M, SKa) 
is produced by decoding (deciphering) the m s- 
sage M by a secret key SKa of the send r A. 

75 In a step 103. the decoded message D (M, 
SKa) is further encoded (enciphered) by a public 
key PKb of a receiver B to produce a cryptograph 
message L « E (D (M, SKa), PKb), which is sent to 
the receiver B. 

20 In a step 104, the data L is received by the 
receiver B is decoded by the secret key SKe of ttie 
receiver B to produce D (M, SKa). 

In a step 105, the decoded message D (M, 
SKa) is endoded by the public key PKa of the 

25 sender A to produce the original message M. 

In a step 106. the message M is supplied to 
the receiver B as an output data. 

In the present fk>w chart, the cryptograph mes- 
sage M cannot be decoded in the step 104 unless 

30 the secret key SKe is knowm. Only the receiver B 
knows SKe. In the step 102; only the sender A who 
knows the secret key SKa can produce D (M, SKa). 
Accordingly, it is assumed that it is A that has sertt 
the message M and it is B that has received the 

35 message. 

When the message M is not a conv ntional 
sentence but random data, it is difficult to det r- 
mine whetfier M is proper or not As an approach 
thereto, an identifier of the serujer, and identifier of 

40 the receiver, a serial number of the message and a 
date may be sent together with the message. In 
this case, an unauthorized act such as copying the 
signed message for repetitive transmission is pre- 
vented. 

46 However, in the RSA system, the encoding and 
decoding time is long because of complex opera- 
tion and a time-consumirtg problem will arise wh n 
the message is long. 



50 



(3) Digital signatur by hybrid system 

This system utilizes the advantages of the DES 
cryptograph system and the RSA cryptograph sys- 
tem in a well-mixed manner. 
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In this system, the conventional (ordinary) mes- 
sage is sent by the DES cryptograph communica- 
tion and the transmission of the l( y and the au- 
thenticity .utilize the RSA system. Th message to 
be authenticated (validated) is first compression- 5 
decoded by tiie DES system to determine Hash 
Total. Rg. 2A shows a process therefor. In Rg. 2- 
(a), the following steps are carried out 



Step 1: 

Rrst 64 bits of an input message I are defined 
as I,. The I, is encoded by an encoder 21 by using 
a cryptograph key K. The encoded result is defined 75 
as O,. 

Er (I,) - O. 

The 64 bits of an input message subsequent to first 20 
64(i-1) bits are defined as l|. 



Step 2: 

Next 84 bits of the input message which follow 
to l| are defined as h 4.1. An exclusive OR circuit 22 
exclusively ORs I 1^1 and 0| and an output thereof 
is encoded by tiie encoder 21 by using the key K. 

Ek(lKi + Oi)-*0|+i 



Step 3: 

35 

If I < n-1, I is incremented by one and the 
process returns to the step 2. If not i < n-1, Oi+i = 
On is outputted and the process is terminated. The 
RSA system digital signature is made only to the 
data having the finally produced cryptograph block 4o 
(Hash total) On and data infonmation added thereto. 

In this system, even the digital signature to the 
long message can be processed in a short time. 

The- above systems do not meet the above- 
mentioned condition (c) of tiie digital signature, that 45 
is. "the sender cannot later deny the fact of trans- 
mission". In the system which uses either the con- 
ventional cryptograph or the public key crypto- 
graph, if the sender falsely insists that ttie secret * 
key has been stolen and someone has prepared so 
data without autiiorization, it is difficult to determine 
whether it is true or not 

If the secret key has been actually stolen, it 
tums out tiiat all messages signed before are un- 
creditable. Accordingly, in the digital signature, 55 
there is a severe requirement that the secret key 
must be absolutely protected. 



As described above, the- condition (c) is not 
met so long as the signatures are made by only 
the two persons, the sender and the receiver. 

It has been proposed to meet the condition (c). 
by communicating through a reliable autii ntication 
(notary) organization. Rg. 3 illustrates a principle 
thereof. 

In Rg. 3, a sender 34 sends a data consisting 
of message and signature to an authentication or- 
ganization 31. The authentication organization 31 
adds date information to the received data 35 to 
prepare data 32, which is sent to a receiver 33 and 
also recorded in a log 37. The sender 34 cannot 
later deny his message because th record is 
logged in the log 37 of the authentication organiza- 
tion 31 . In this case, the sender may insist that the 
secret key has been stolen and someone has 
forged the message. Such insistence can be pre- 
vented by sending the same data 36 as the data 32 
back to the sender 34 for confirmation. 

Other problems are who the authentication or- 
ganization should be and a large volume of mes- 
sage to be recorded. 

As a modification of (3), a method for determin- 
ing a Hash total by data compression encoding by 
DES in the hybrid digital signature is explained with 
reference to Rg. 4. 

In Rg. 4, the following steps are carried out 



Step 210: 

An input message M Is divided into n 56-bit 
bkx:ks Ml, M2. Mn 

M * Ml, M2,«M Mn 



Step 202: 

A parity bit is added to every seven bits of Mi - 
(I =s i, 2, ••• n) to produce IC (i = 1,2. ••• n). 



Step 203: 

The following step is repeated for j s 1,2, 

n. 

I(i-1) is encoded by using K| as a cryptograph key, 
and the encoded result and l(j-1) are exclusively 
ORed to produce l(j). 

lG)-l(hi) Ejq(iQ-i)) 

where l(o) is an initial value. 
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Step 204: 

H(M) « l(n) • 

Digital signature by the RSA system is made to 
the resuiting cryptograph bkx:k compression en- 
coded message H(M). 

Referring to Fig. 2B, a method of digital signa- 
ture by the hybrid system is explained. 

A sender 301 calculates a short character 
string H(M) from a message M 302 by the data 
compression encoding, produces a digital signature 
E (H(M) , S ic) 306 by an encoder 305 by using a 
secret key Sk 304 and sends it to a receiver 307. In 
order for the receiver 307 to recognize that the 
message 302 and the digital signature 306 are true 
and valid, the receiver 307 decodes the digital 
signature E (H(M) , S^) 306 by a decoder 309 to 
produce the original character string H(M) • 310, 
and calculates a character string H(M) "311 from 
the message 302 in the same manner as the 
sender 301 did. Both are compared by a compara- 
tor 312 and if they are equal, the message 302 is 
true and valid so long as the receiver kselieves that 
the sender 301 is a sole owner of the secret key Sh 
304. 

In this method, the digital signature to a long 
message can be processed in a short time, but this 
method does not meet the condition (d) (the re- 
ceiver cannot later deny the fact of reception). K 
the receiver later denies the fact of reception, the 
sender has no evidence to deny it. 



SUMMARY OF THE INVENTION 

It is an object of the present invention to pro- 
vide an electronic transaction which eliminates the 
disadvantages in the digital signature encountered 
in the prior art system, realizes a function of an 
authentication organization, reduces the quantity of 
rr>essage to be recorded concerning such as the 
content of a contract and meets the following con- 
ditions. 

(1) Only , a sender can prepare a signed 
message. It cannot be forged by a third party. 

(2) A receiver cannot alter the signed mes- 
sage. 

(3) The sender and receiver cannot later 
deny the facts of transmission and reception, re- 
spectively. 

In order to achieve the above object one fea- 
ture of the present invention includes the. following 



(m Sender and receiver are checked. 

® Content certificate function is added. 

® The s nder or receiver is double- 
checked by th poss ssion of a secret key and a 
terminal response. 
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(±) 

A time limit to an effective period for an 
eiecti^nic seal is set 

(E> A grace period is added to the electronic 
seal. _ • 

® A tally impression is sent from ttie re- 
ceiver back to tile sender. 



BRIEF DESCRIPTION OF THE DRAWINGS 



Rg. 1 is a flow chart of a prior art digital 
signature procedure which uses a public key cryp- 
tograph system. 

Figs. 2A, 2B and 4 show principles of known 
75 data compression cryptograph, 

Rg. 3 shows a prior art digital signature 
system which uses an authentication organization. 

Rg. 5 shows a first system configuration of 
an electronic transaction system to which the 
20 present invention is applied. 

Rg. 6 shows a flow chart of a procedure in a 
first embodiment of the present invention. 

Rg. 7 shows a ftow chart of a procedure in a 
second embodiment of the present invention. 
25 Rg. 8 shows a flow chart of a procedur in a 

third embodiment of the present Invention, 

Rg. 9 shows a secon.d system configuration 
of the electronic transaction system to which the 
present inverttion is applied. 
30 Rg. 10 shows a flow chart of a procedur of 

a fourth embodiment of the present invention. 

Rg. 1 1 shows a third system configuration of 
the electitmtc transaction system to which the 
present inverrtion is applied, and 
35 Rg. 12 shows a flow chart of a procedure in 

a fifth embodiment of the present invention. 



DESCRIPTION OF THE PREFERRED EMBODI- 
40 MENTS 

In order to facilitate the understanding of the 
present invention, the contents of the above items 
® ^® explained in detail. 

Q Confinmation of sender and receiver 



In the following description, the sender of th 
transaction message is referred to as a sign r and 
the receiver is referred to as a certifier. 

Two sets of public key and secret k y in the 
public key cryptograph syst m are prepared. They 
are (public key^ secret key) : (PKs, SKs) and (PK«. 
55 SKr), where SK s is owned only by the signer and 
SKr is owned only by ttie certifier, and PKs and 
PKr are copied to all concerned. 
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Assuming that a message M consists of m 
binary bits, the following is met in the public key 
cryptograph system. 

M - E (D(M, SKs). PKs 6 

« E(D(M,SKft,PKR...-.(1) 

where D f , K) Is a message decoded from a 
message * by a key K, and E f , K) is a cryptograph io 
encoded from the message • by the key K. The 
same message is supplied to the signer and the 
certifier, who decode it by their own secret keys 
and the decoded results D (M, SKs) and D (M. 
SKr) are disclosed to the persons concerned, who 75 
encode D (M, SKs) and D (M, SKr) by using the 
signer's and certifier's public keys PKs and PK r ' 
which the persons concerned possess. The per-' 
sons concerned can confirm that the formula (1) is 
met if the signer and the certifier properly used 20 
their secret keys. If the formula (1) is not met. the 
persons concerned may determine that the secret 
key of the signer or the certifier is not valid. 

For example, if the signer forges the signed 

message by using a false secret key SKs'{ * SKs ) as 

• 

E (D(M, SKs') PKs) * E (D(M, SKs) , PKs) 

E (D(M, SKs') PKs * E (D(M. SKr) , PKr) .....(2) 30 

Thus, the persons concerned may determine that 
the secret key used by the signer or the certifier is 
an unauthorized one. 

ft is very rare that the formula (1) is met In 35 
spite of the fact that the signer or the certifier 
forged the signed message by using the false 
secret key, t)ecause, assuming that the length of 
the message M is 200 bits, a prot>abII{ty that the 
formula (1) is met by the false secret key S is 1^** 40 
6 X 10-*\ which is negligibly small. 

It Is difficult for a third p)erson to steal the 
secret key of tiie signer or certifier and transact as 
If he were the signer or certifier, t)ecause tiie true 
signer and certifier, who are also the persons con- 4S 
cerned, can detect a third person who transacts in 
place of the.signer or certifier once the D (M, SKs) 
or D (M, SKr) is disclosed. 

Where the key K for D C. K) is kept in secret, it 
is difficult for a third person who Is unaware of the so 
secret key K to forge a key K" for the message M 
to meet D (M, K) = D (M. K"). 

The D (M, K) thus prepared is hereinafter re- 
ferred to as an electronic seal by the owner of the 
secret key K, and the message M for certifying the ss 
validity or autiienticity of th electronic seal is 
referred to as certificate data. If a person who - 
received the electronic seal has a corresponding 



public key, he/she can cietect who, prepared the 
electronic seal and the content of the message. 
However, other person than th owner of the secret 
key K cannot produce the electronic seal D (M, K) 
based on the certificate data M. The same certify 
icate data is decoded by the signer and certifier by 
their respective secret keys and the decoded re- 
sults D (M, SK s) and D (M, SKr) are xchanged 
between both. The certifier can confirm that the 
sender of D (M, SKs) Is the signer himself if the 
certifier can get M in accordance with the formula - 
(1) by encoding D (M, SKs) by the public key PKs 
of the signer. The signer can also confirm that the 
sender pf D (M, SKr) is the certifier himself if the 
signer can get M in accordance with the formula - 
(1) by encoding D (M, SKr) by the public key PKr 
of the certifier. When the persons concerned are 
presented with D (M, SKs) and D (1^, SKr) from the 
signer or certifier, they encode D (M. SKs) and D - 
(M, SKr) by using the public key PKs of the signer 
and the public key PKr ^ of the certifi r. The per- 
sons concemed can determine whether the secret 
key used is authorized one or not by chiecking if 
the formula (1) is met or not 

Addition of content certificate function 

In order to certify the content .of the trans 
mitted data, a message I is data compression en^ 
coded (Rg. 2) by using the key K. High order m 
bits of the finally produced block On is used as a 
Hash total (I, K) for the message I.- 

Assuming that m=64 and different messages I 
and r are data compression encoded, a probability 
of 

C {l\ K) = C (I. K)..-.. (3) 

is 1/2" ^ 5 X 10-'*'. which is almost null. 

When the signer sends a messag , he/she 
data-compression-encodes it and opens the Hash 
total (data compression encoded message) to the 
persons concemed. The signer and certifier keep 
the originals of the message. Thus, if an issue later 
occurs on the original, the original may be again 
data-compression-encoded to check whether it 
matches to the initial original. 

The message I may be used as an encoding 
key in an encoding system for certifying the con- 
tent A predetenmined input data 10 is encoded by 
the encoding key to produce a Hash total C (10, 1). 
In the present encoding system', it is difficult to 
determine tiie encoding key I from the input data 10 
and the output data C (10. 1) which l30th have been 
received. 
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Assuming that the length of the output data is 
64 bits and dif rent messag s I and J' are used as 
the encoding key, a probability of 

C (10. V) = C (10. 1) (4) 

is 1/2* 5 X 10-**, which is almost null. 

The C (10. I) is inserted in the certificate data 
at a predetermined posilion so that C (10. I) is 
reproduced from the certificate data. When the 
signer, certifier or person concerned gets the mes- 
sage V and C (lO. 1), he/she first encodes the data 
lO by using the message I* as a key. and then 
compares the encoded result or Hash total C (10, 
V) with C (lO, I). If they are equal, it means that the 
given message V is equal to the original message I, 
and If they are not equal, it means that the given 
message I* is not equal to the original data I. 

d) Double check of the signer and certifier by the 
possession of the secret key and the terminal re- 
sponse 

The transaction procedure is established such 
that the signer and certifier respond to the call from 
the partner before they inputs their own secret 
keys. Thus, if the secret key is stolen by a third 
person, who intends to involve in the electronic 
transaction, at. least one call is made by the signer 
or certifier tDefore the transaction is executed. Ac- 
cordingly, the signer or certifier can detect the third 
person's involvement. 

Addition of time limit of effective period of 
electronic seal 

When the signer and certifier make their elec- 
tronic seals and tally impressions, they add dates 
which indicate the effective period of the electronic 
seals and tally impressions. This indicates to the 
transaction partner who received the electronic seal 
and tally impression a due date to respond, and 
declares that the transaction will be terminated and 
the electronic seal and tally impression so far ex- 
changed will become ineffective unless response is 
received by the due date. If the signer or certifier 
does not receive the response to the electronic 
seal and tally impression he/she sent, he/she in- 
forms It to the^ authentication organization together 
with the electronic seal and tally impression so that 
the electronic seal and tally impression are invali- 
dated. Thus, if the signer or certifier Int ntionally 
attempts to delay the execution of th transaction 
by non-returning the response, the authentication 
organization autiienticates that the electronic seal 
and tally impression so far exchanged are invalid 



and the transaction has been terminated. Accord- 
ingly, safety in the transaction procedure is as- 
sured.^ 

5 

(s) Addition of grace period for electronic seal 

When the signer or certifier prepares his/h r 
electronic seal and tally impression, he/sh adds a 

TO grace period date for the electronic seal and tally 
impression at a predetermined position on the cer- 
tificate data. This means to Indicate' to th partner 
of transaction who received the electronic seal and 
tally impression a grace period during which the 

rs partner is permitted to terminate the transaction. 
Before or during the grace period, the partner can 
terminate the transaction and declare that the elec- 
tronic seal and tally impression so far xchanged 
are invalid. Thus, if the signer or certifier finds any 

20 defect In the transaction or finds that tii electronic 
seal or tally impression received from th partner is 
unauthorized "one. after the signer or certifier has 
sent the electronic seal and tally impression, 
he/she informs it to the authentication organization 

25 together with the electronic seal and tally impres- 
sion so tiiat the electronic seal and tally impression 
are invalidated. Thus, if an InvalkJ transaction is 
made or if an opposition is lodged to th received 
electronic seal or tally impresskxi, ttie authentica- 

30 tion organization will authenticate that th lectronic 
seal and tally Impression so far exchanged are 
invalid and the transaction has been terminated. 
Accordingly, safety in the transaction procedure is 
assured. 

35 

Transmission of tally Impression from certifier 
to signer 

40 When the certifier receives the m ssage M 
from the signer and confirms the content of th 
message M and agrees to the transaction, he/she 
prepares Hash totals h. « H, (M) and h, » H, (M) 
for a predetermined data 10. and combines high 

4$ order bit sequence h, with a time data T to produce 
a tally impression certificate data (T, h,). The tally 
impression certificate data is decoded by th se- 
cret key SKr of the certifier to prepare an elec- 
tronic tally impression D ((T, h,) , SK r), which is 

60 sent to the signer as a response of agreement to 
the transaction by the message M. The sign r 
encodes the electronic tally impression (D {(T. h,). 
SKa) by the public key PKr of the certifier to 
produce the original tally impression certificate data 

55 E (D((T, h,). SKr), PKr) = (T. h.). The signer 
confirms the fact that the high ord r bit sequence 
hi of the Hash total of the message M is included 
in the electronic seal which can be prepared only 
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by the certifier, and the signer may use it as a 
counterevidence when the certifier later denies the 
fact of transaction and does not send back the 
electronic seal of the certifier and escapes with the 
electronic seal of the signer. 

The present Invention is now explained for spe- 
cific embodiments. 

Rg. 5 shows a* configuration of an electronic 
transaction system to which the present invention 
applies. Rg. 6 shows a flow chart of a procedure 
for embodying the present invention in the configu- 
ration of Rg. 5. 

Where a credltabllity of Journal management in 
an intermediation terminal 406 of Rg. 5 is high, the 
elements in Rg. 5 are operated in accordance with 
the flow chart shown in Rg. 6. 



Step 601: 

A signer 401 prepares a contract I by a signer 
terminal 404 and records it In the signer terminal 
404. He/she also enters a name of the signer 401 
and a name of a certifier 409 to the signer terminal 
404. 



Step 602: 

The signer terminal 404 sends the contract I 
and the name of the signer 401 to a certifier 
terminal 407 via the intennnedration terminal 406. 



Step 602(a}: 

The intennediation terminal 406 records the 
transmitted contract I. 



Step 603: 

The certifier terminal 407 calls the certifier 409 
and displays the contract I and the name of the 
signer 401 . 



Step 604: 

The certifier 409 watches the display of the 
certifier tenminal 407 to confirm the contract of tiie 
signer 401 and depress a certificate accept button. 



Step 605: 

The certifier terminal 407 prepares received 
date as a certificate data such as "14:35:14, Feb* 
5 aiary 19, 1985*. 



Step 606: 

70 The certifier 409 Inputs a certifier secret key 
SKft. 



Step 607: 

76 

The certifier terminal 407 prepares a certifier 
electronic seal T - D (M, SKr) by decoding the 
certificate data M by the secret key' SKr of the 
certifier 409, and sends it to the signer 401 at the 
20 signer terminal 404 via the intermediation terminal 
406. 



Step 608: 

25 

When the intermediation terminal 406 receives 
T, it immediately opens It to persons concerned by 
transmitting it to the persons concerned, or printing 
It on publication. 

Step 609: 

When a signer terminal 404 receiv s T, It en- 
05 codes it by ttie certifier public key PKr to repro- 
duce the original certificate data. 

M = E(D(M.SKr).PKr) 

40 It Checks the content of the certificate data and 
checks the following. 

(1) If the time shown in the M is close to the 
reception time at the signer terminal 404, whether 
the true certifier 409 Is actually present at the 

45 certifier terminal 407. 

(2) If the time shown in the M is far from the 
reception time of the signer terminal 402 or makes 
ho sense, it is Judged that a false certifier is 
present at the certifier terminal 407. 

50 In the present example, M is "14:35:14 Feb- 
ruary 19, 1985" and the decision (1) is made. If (2) 
is met, a messag to terminat the transaction is 
sent to th certifier 409. 

55 
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Step 610: 

Th signer 401 enters the signer secret key SK 
s to th signer terminai 404. 



Step 611: 

The signer terminal 404 decodes the certificate 
data by using the signer secret key SKs to the 
reproduced certificate data to prepare a signer 
electronic seal V. 

V = D (M, SKs) 



Step 612: 

The signer terminal 404 sends the V prepared 
in the step 61 1 to the certifier terminal 407 via the 
intermediation terminal 406. 



Step 613: 

The intermediation tenminal 406 data- 
compression-encodes the set of V and I by using 
an intemnediation terminal secret key B. 

W « C(B. (V. I)) 

The contract I has been recorded in the inter- 
mediation terminal 406 in the step 602 (a). The V 
and W are opened to the persons concemed in the 
same manner as that in the step 608. 



Step 614: 

When the certifier terminal 407 receives the V, 
it encodes it by using the signer public key PKs. 

M' « E (V. PKs) 

« E (D (M, SKs) , PKs) 



Step 615: 

The certifier terminal 407 checks if the en- 
coded result M' in the step 614 matches to the 
certificate data M in the step 605. 

(1) If M' matches to the certificate data pre- 
pared in the step 605, it is judged that the signer 
401 himsetf/herself is actually present at the sign r 
terminal 404 and a transaction accept signal is sent 
to the intermediation terminal 406. 



(2) If M' does not match to th c rtificate 
data M prepared In tiie step 605, it is judged that a 
false signer Is present at th signer terminal 404 
and a transaction reject signal is sent to th inter- 
5 mediation terminal 406. 



Step 616: 

10 When the intermediation terminal 406 receives 
the transaction accept signal, it sends a signal of 
transaction agreement to the signer terminal 404 
and certifier tenminal 407 and records T, V and W. 
The corrtract I is deleted from the record. 

75 When 'the intenmediation terminal 406 receives 

the transaction reject signal, it sends a signal of 
transaction disagreement to the signer terminal 404 
and certifier terminal 407, and deletes the records 
of T, V, W and 1. 

so 

Step 617: 

When the certifier terminal 407 receiv s the 
25 signal of transaction success, it records the con- 
tract I and the T. V, W in the file 411. and the 
certifier keeps the file 41 1 . 



so Step 618: 

When the signer terminal 404 receives ttie 
signal of transaction success, it records the con- 
tract 1 and the T. V. W in the file 403, and the 
35 signer 401 keeps the file 403. 



Modification 1 of tiie first embodiment 

40 If the contract I is confidential infonmation, the 

encoding of the contract by a conventional cryp- 
tograph may be added. A secret key X of the 
conventional cryptograph has been previously ex- 
changed between the signer and the certifier, and 

45 the secret key X is also sent to the intermediation 
terminal 406. The steps 602. 602 (a) and 603 are 
modified as foltows. 



so Step 602: 

The signer terminal 404 prepares a crypto- 
graph r by encoding the contract I by using the 
secret k y X of the conventional cryptograph. 
55 Then, th signer terminal 404 sends the cryp- 
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tograph 1' of the contract and the name of the 
signer 401 to the certifier terminal 407 via the 
Intemnediation terminal 406. 



Step 602.(a): 

The intermediation terminal 406 decodes the 
cryptograph I' of the contract by using the secret 
key X of the conventional cryptograph to prepare io 
the original contract I. Then, the Intenmediation 
terminal 406 records the name of the signer 401. 
the name of the certifier 409 and the contact L 



Step 603: 

The intermediation terminal 406 decodes the 
cryptograph I* of the contract by using the secret 
key X of the conventional cryptograph to prepare 20 
the original contract I. Then, the certifier terminal 
407 calls the certifier 409 and displays the contract 
I and the name of the signer 401 . 

Modification 2 of the first embodiment 

In the step 606 or 610 of the fir$t embodiment, 
if the certifier secret key SKr or signer secret key 
SKsto be entered by the certifier or signer is long, 50 
a certain number of bits of the secret key may be 
recorded on a magnetic card and the remaining 
bits are memorized by the certifier 409 or signer 
401 as a secret number. When the certifier 409 or. 
signer 401 enters the secret key, he/she sets the 35 
magnetic card and enters the secret number, and 
the. terminal synthesizes the secret key teased on 
those input information. 

In a second embodiment, a high credltability is 
not put on the Intermediation terminsU 408 of Rg. 5 4o 
but the Journal information is replaced by the elec- 
tronic seal to eliminate the Journal management. 
The operations of the elements in Rg. 5 are ex- 
plained with reference to a flow chart of Rg. 7. 



Step 501: 

The signer 401 enters a transaction message I 
to the signer terminal 404 and enters the secret so 
key SKs of himself/herself, the name of the signer 
401 and the name if the certifier 409". 



Step 502: 

The signer terminal, 404 prepares Ek (I) by 
encoding the transaction message I by -using the 
cryptograph key k. and sends Er (I) , the name of 
the signer 401 and the name of the certifier 409 to 
the certifier terminal 407. 



Step 503: 

The certifier terminal 407 decodes th transac- 
tion message I by using the cryptograph key k, 

1 = (Ek (I)) 

and it displays the transaction message I on a 
screen of the certifier terminal 407. 



Step 504: 

The certifier watches the transaction message I 
displayed on the display screen of th certifier 
terminal 407, and If he/she Judges that he may 
proceed with the transaction, he/she enters his/her 
secret key SKr. 



Step 505: 

The certifier terminal 407 prepare data T of a 
predetennined fbnmat For example, the data T 
represents a current time such as "15:32:12 April 
11,1985". 

Step 506: 

The data D is decoded by using the secret key 
R in a predetermined public key cryptograph sys- 
tem to prepare D (T, SKr), which is sent to the 
signer terminal 404 via the intermediation terminal 
406. 



Step 507: 

The intermediation terminal 406 starts its op- 
eration in response to the reception of D (T, SKr). 



Step 508: 

The signer terminal 404 encodes D (T, SKr) by 
using the certifier public key PKr to prepare T = 
E (D(T, SKr). PKr). If T matches to the predeter- 
mined format, it is Judged that the certifier 409 
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himsetf/hersdif is actually present at the certifier 
terminal 407. In the present example, since the 
content of T is same as that of T. that is, "15:53:12 
April 11, 1985", the above judg ment is made. 



Step 509: 

The signer 401 knows that the certifier 409 
himself/herself is present at the certifier terminal 
407 and the certifier 409 has judged to accept the 
transaction of the transaction message L The sign- 
er 401 depresses the seal accept button of the 
signer terminad 404 in order to prepare his/her 
electronic seal. 

Step 510: 

The signer terminal 404 prepare the following 
cryptograph data C (10. I) by using the transaction 
message I as the cryptograph key. 

(1) Cli(IO) is a j-btt length output data derived 
by encoding a j-bit length Input data 10 by an m-bit 
length cryptograph key h. The cryptograph system 
has been predetermined. In this cryptograph sys- 
tem, it is difficult to determine the cryptograph key 
li based on the input data 10 and the output data IQ 
(»). 

(2) The transaction' message is sectioned 
into n m-bit blocks l„ ... !„. If the length of the 
last block l„ does not reach m bits, bits are 
added to attain the m-bit block l„. 

(3) The input data 10 is encoded by the Key I 
(ito produce O,. 

Cli (I) 01 

I = 1 

(4) 0| is encoded by the key l|+i to produce 

Oi*i . 

Cl,*i <Oi)-OI,.i 

(5) i + 1 — i. If i S n-1 . the process returns to 
(4). Othen^vlse. 0|*i = On is outputted. 

The encoded message On is called a Hash 
total of the transaction message I and expressed 
by C (K). I). 

C (10. 1) = O „ 

T and 0 (!0, 1) are combined to prepare 
W a (T, C(IO. I)) 



Step 511: 

W is decoded by the public key cryptograph 
system by using th secret key SKs to prepare the 
6 electronic seal D (W. SKs), which is sent to the 
. certifier terminal 407 via the intermediation terminal 
406. 



70 Step 512: 

The intermediation terminal 406 records D (W 
SK5). 

75 

Step 513: 

The certifier terminal 407 encodes D (W, SKs) 
by the signer public key PKs to prepare W. 

W = E (D{W, SKs) . PKs) 

It also prepares a Hash total C (10, I) to the 
transaction message I in the same mann r as the 
25 step 510. 

• If r = T and C (lO, V) « C (10, 1) when W = 
fT , C(IO, 1')), T « T and 0 (10. V) = C(IO. I)- is 
displayed on the screen. 

30 

Step 514: 

The certifier 409 watches T' » T and C (lO, 
I') = C (10, I)" displayed on the certifier terminal 

35 407 to judge that D (W, SKs) was prepared by the 
signer 401 himsetfyherself t>ased on the transaction 
message I. and decides to prepare and send the 
electronic seal of the certifier 409 himsetf>Tierself. 
He/she depresses an electronic seal pr pare/sarxj 

40 button of the certifier terminal 407. 



Step 515: 

45 The certifier tenninal 407 decodes W by the 
public key cryptograph system by using the cer- 
tifier secret key SKr to prepare the electronic seal 
D (W, SKr). K sends D (W, SKr) to the inter- 
mediation tenminal 406 and the signer tenminal 404. 

50 

Step 516: 

The intermediation terminal 406 records D (W, 

6S SKr). 
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Step 517: • ^ 

The signer terminal 404 encodes D (W; SKr) 
by the public key cryptograph system by using the 
certifier public key PK r to prepare W. 5 

W" = E (D(W. SKr) , PK r) 

If W* B W. It is judged that D (W, SKr) was 
prepared by the certifier 407 himself/herself based lo 
on the transaction I, and the signer terminal 404 
sends a signal "acknowledged" to the intermedia- ' 
tion terminal 406. 

75 

Step 518: 

When the intermediation temninal 406 receives 
the "acknowledged" signal from the signer terminal 
404, It erases the recorded D (W, SKs) and D (W, • 20 
SKr) and terminates the operation. 

Step 519: 

25 

The signer terminal 404 records the transaction 
message 1, electronic seal D (W, SKs) of the ^gner 
401 and electronic seal D (W, SKr) of the certifier 
409 in the certifier file 411, and terminates the 
operation. 30 

Step 520: 

The certifier tenminal 407 records the transac- as 
tion message I. electronic seal D (W, SKs) of the 
signer 401 and electronic seal D (W, SKr) of the 
certifier 409 in the certifier file 411, and terminates 
the operation. 

40 

Step 521: 

The signer 401 keeps the signer file 403. 

45 

Step 522: 

The certifier 409 keeps the certifier file 411. 

50 



Modification 1 of second embodiment 

In the step 518 of th second embodiment the 
intermediation terminal 406 may record the elec- 
tronic seals D (W, SKs) and 0 (W, SKr) instead of 
erasing them* to keep them as an evidence of 
transaction. 



Modification 2 of second embodiment 

In the steps 501 and 504 of the second em- 
bodiment, a portion of information on the secret 
key may be recorded in a magnetic card or tC card 
and the signal/certlfier memorizes th rest of the 
information on the secret key as a secret number. 
When the secret key SKr is to be entered, the 
secret key is synthesized from the readout of the 
information from the magnetic card or IC card and 
the key entry of the secret number. 



Modification 3 of second.embodlment 

In the step 501. 504, 509 or 514 of the second 
embodiment, a checking function of the person by 
voice pattern or fingerprint before input operation 
may be added to the terminal. 

Fig. 8 shows a flow chart of a procedure for 
transacting by an electronic seal .with a time limit 
for an effective period In accordance with a third 
embodiment of the configuration shown in Rg. 5. 

Steps 711 -713 which are different from the 
flow chart of Rg. 7 are primarily explained. 



Step 711: 

The signer terminal 404 prepares the time limit 
of the effective period of the electronic seal in a 
predetermined data format to set the time limit V. 
For example, the time limit V is "17:30:00 April 11, 
1985". 

The previously prepared T and C (10. I) and 
the V are combined to prepare 

W = (V, T, C (10, 1)) 



Step 511: 

W is decoded by the public key cryptograph 
system by using the secret key SK s to prepare D 
(W, SKs) . which is sent to the certifier tenminal 
407. 



55 
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Step 712: 

^\ 

Th certifier terminal 407 encodes D (W, SKs) 
by th signer public key SK r 408 to prepare W. 

W = E {D(W. SKs). SK r) 

tt also prepares a Hash total C (10, I) for the 
transaction message I in the same manner as the 
step 510. 

If r = T and C (10, 1') =s C (lO, I) and V is of 
a predetermined format when NAT « (V*. T, C (lO, 
I)), then T* s T and C (10. r) = C (lO, I)" and 
mme limit of electronic seal « \r " are displayed 
bn the screen. In the present example, the content 
of V is same as that of V. that is, -15:30:00 April 
11,1985". 



Step 713: 

The certifier 409 watches "T « T and C <IO, 
r) «= C (lO, I)" and mme limit of electronic seal = 
V • displayed on the certifier terminal 407 and 
judges that D (W, SKg) was prepared by the signer 
401 himself/hersel based on the transaction mes- 
sage I and the time limit is V. and decides to 
prepare and send the electronic seal of the cer- 
tifier. He/she then depresses the electronic seal 
prepare/send button of the certifier terminal 407. 

In the third embodiment, the second and third 
modifications of the second embodiment equally 
apply. 

In accordance with the above first and second 
emt>odiments. the electronic transaction which 
meets the following conditions is provided. 



(I] Advantages concerning the first embodiment 

(1) Only the sender can prepare the signed mes- 
sage. It cannot be forged by a third person. 

This is because the encoded message V of the 
certificate data can be prepared only by using the 
secret key SKs which is owned only by the signer. 
If the third person attempts to transact with V other 
than V of the certificate data, the certifier can 
detect in the step 614 that the signer is a false one, 
and the persons concerned who have the public 
key PKs can detect that the transaction is not 
effective because the encoded results of T and V 
publicized by the intermediation terminal, by using 
the public key PKs of th certifier and signer do not 
match each other. 



(2) The receiver cannot modify the signed mes- 
sage. 

The set of th encoded message V of the 

5 certificate data and the contact message I is data- 
compression-encoded by the* secret key B .of the 
intermediation terminal and the resulting Hash total 
W is recorded and opened to the persons con- 
cerned. Accordingly, if one of the parties who has 

10 the encoded message V of the certificate data and 
the contract message I brings the data and en- 
codes the contract message by the certifi r public 
key PKr in font of the other party, and causes the 
intermediation terminal to datarcompresston-en- 

t5 code the set of the encoded messag and V to 
produce W, and W is compared with th pre- 
viously opened result W, then the content certifica- 
tion is attained. If W = W, the contents are id n- 
tical and H W « W, the contents are not identical. 

20 Because the .encoded messages T and V of 
the certificate data are opened to the persons con- 
cerned during the transaction, the persons con- 
cerned can check who are now transacting. Ac- 
cordingly, it is hard to a third person who has 

25 Stolen the secret key to conduct an unauthorized 
transaction as if he were the sender or receiver. 



(3) The sender and receiver cannot later deny the 
30 fact of transmission and reception. 

In order for ttie electronic transaction to be 
effective, the party must enter its secret key at 
least once and responds to the call from the other 

35 party. That is, the party is double-checked. Wh n 
the party responds to the call in the terminal, the 
person may be checked by the fact that he/sh has 
the magnetic card as shown in the modification 2 
of the embodiment or the person may bo checked 

40 by the voice pattem or fingerprint so that the 
personal check function is further enhanced. 

Since the encoded messages T and V of the 
certificate data are opened to the persons con- 
cerned during the transaction, the persons con- 

45 cemed can check who are now transacting. Ac- 
cordingly, it is hard for a third person who has 
stolen the secret key to conduct an unauthorized 
transaction as if he/she were sender or receiv r 
because it may be detected by the true send r or 

50 receiver or ttre persons concemed. 

The Hash total W for assuring the content of 
the contract message I is once operted and then 
recorded &nd kept in th intermediation terminal. It 
is therefore difficult to deny the fact of transmission 

55 or reception by modifying or destroying the record. 
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" In the present system, the, content of commu- 
nication is not disclosed when th data is opened . 
at the Intemiedlation temiinal. What is opened at ' 
the intemiediation temninal is not the communica- ^ 
tion text Itself but the Hash total which Is prepared 
by data-compression-encoding the set of the com- 
munication text and the encoded message of the 
certificate data. It is Impossible to estimate the 
communication text based on the Hash total. 

Since the data which the intenmediation termi* 
nal records and keep are the certificate data T and 
V and the Hash total W, the load for maintenance 
is lower than that when the entire contract message 
I is maintained. 



[II] Advantages conceming the second embodiment 

(1) The third person cannot conduct transaction as 
If he/she were the signer by the following reasons. 

(a) Check of possession of secret key. 

The electronic seal D (W, SKs) can t>e pre- 
pared only by using the secret key SKs which only 
the signer possesses. If the third person prepares 
the electronic seal D (W, SKs') by the key SK s' 
other than the secret key SKs, the certifier terminal 
detects that it is a false electronic seal in the step 
513. 

It Is difficutt for the third person to conduct the 
transaction unless he/she knows the secret key of 
the signer. 

(b) Check by response to call 

The third person who attempt to conduct an * 
unauthorized transaction must depress the seal ac- 
cept button In the step 509. The certifier depresses 
the transaction accept button in the step 504 and 
the call is made to the signer In the step 508. 
Accordingly, it is hard for the third person to con- 
duct the transaction unless he/she prevents the . 
signer from responding to the call. 



(2) Third person cannot conduct unautiiorized 
transaction as if he/she were certifier by the follow- 
ing reasons. 

(a) Check by the possession of secret key 

The lectronic seal D (W, SKr) can be pre- 
pared only by using the secret key SKr which Is 
possessed only by the receiver. If the third person 
prepares the electronic seal D (W, SKr) by the key 
SKr' other than the secret key SKr, tiie signer 



terminal detects that it is a false electronic key in 
the step 517. The same is true for the decoded 
m ssage D (T. SKr) of the ID. A false message D - 
(T, SKr') is detected in the step 508. Accordingly. 
5 it is hard for the third person to conduct the trans- 
action unless he/she knows the secret key of the 
third person. 



70 Check by response to call 

The third person who attempts to conduct the 
unauthorized transaction must depress the transac- 
tion accept button and tiie seal accept button in the 

75 steps 504 and 514. The call to the signer is first 
made, and then the calf to the certifier is made in 
the certifier terminal. Accordingly, it is hard for the 
third person to conduct the transaction unless 
he/she prevents tiie certifier from responding to the 

20 call. 



(3) Certifier cannot modify the transaction message 
by the following reasons. 

(a) Check by possession of secret key 

Let us assume that tiie certifier prepared a 
forged message 1' of the transaction message I. in 
30 this case, the certifier cannot prepare th electronic 
seal D (W, SKs ) which the signer should have 
prepared. 

W = (T, C (10, 1)) 

35 

Since the certifier is unaware of the secret key SKs 
of the signer, he/she cannot prepare D (W, SKs) 
when W is given. Let us assume that the certifier 
has prepared D (W, SKs) by using ttie key SKs 
40 having a bit length of 200 bits. A probability that 

D (W. SKs') = D (W, SKs) 

Is 1^*" 8 x 10-*\ which is practically nulL If a third 
45 person in a fair position calculates E (D(W, SKs). 
PKs) and E {D(W. SKr), PKr) for the certifier data 
r. and D (W. SKg') and D (W. SKr), tiiose do not 
match. It is thus seen that one of the electronic 
seals is false and the data set of the certifier is 
50 Invalid. If SK,* is the true secret key. 

W = E (DOAT, SKs'). PKs) 

= E (D(W. SKr), PKr) 

55 
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should be met. Accordingly, it is hard for the third 
person to modify the contract message unless 
he/she is aware of the secret key of the signer. 

Check by response to call 

In the modification 1 of the embodiment, the 
evidences of the electronic seals D (W, SKs) and D 
(W, SKr) must have been left in the step 518. The 
certifier who attempts to modify the transaction 
message must prepare the response to the call by 
the signer In the step 509 In order to leave the 
record. Accordingly, even If the certigier coukJ 
know the secret key SKs of the signer, it is difficult 
for the certifier to modify the transaction message 
unless the certifier can issue the response In the 
step 509 without being noticed by the signer. 



(4) Signer cannot deny the content of transaction 
after transaction has been executed. 

This is by the same reason as that for (3) in 
which the certifier cannot modify the transaction 
message. 

In the present system, the content of commu- 
nication is not disclosed In the intermediation tenmi- 
nai. The information transmitted to the intermedia- 
tton terminal is not the communication text itself 
but the Hash total derived by data-compression- 
, encoding the communication text, and it is impos- 
sible to guess the original communication text from 
the Hash total. 



(5) Certifier cannot escape with electronic seal of 
signer 

(a) Check by time limit of electronic seal 

The electronic seal D (W, SKs) of the signer 
includes the time limit V for the electronic seal 
which the signer has prepared in the predeter- 
mined form. 

W = (V. T. C (10, 1)) 

If the response from the certifier is not received 
before the time limit V, the signer judges that the 
certifier has no intention to conduct the transaction 
and invalidates the electronic seal D (W, SKs) by 
informing the electronic seal to the authentication 
organization. As a result, it is impossible for the 
certifier to escape with the electronic seal and 
make unauthorized use thereof. The autti nication 



organization has a" function to assure the invalida- 
tion of the electronic seal and it is utilized only 
when the necessity to prove the invalidity of the 
electronic seal arises. , 

Rg. 9 shows another configuration of tiie elec- 
tronic transaction system, to which the present in- 
vention is applied, and Rg. 10 shows, a flow chart 
of a procedure in a fourth embodim nt of the 
present invention in the configuration of Rg. 9. 

The operations of the elements of Rg. 9 are 
explained with reference to the flow chart of Rg. 
10. 



^5 Step 5010: 

The signer 401 enters the transaction message 
M from a message file 4020 to a. signer lectronic 
transaction unit 404, and enters his/her secret key 
20 SKe, the name of signer 401 and the name of the 
certifier 426 by an IC card 4030. 



Step 5020: 

25 

The signer electronic transmission unit 404 en- 
codes the transaction message M by using the 
message cryptograph key K of a messag encoder 
4050 and a memory 4060 to prepare EK(M). and 
30 sends Ek(M), the name of the signer 401 and the 
name of ttie certifier 426 to the certifier lectronic 
transaction unit 423 through a communication con- 
trol unit 413. 

35 

Step 5030: 

The signer electronic transaction unit 404 pre- 
pares a compressed cryptograph H(M) by a com- 
40 pression function generator 4O70 by using the 
transaction message M as a cryptograph key. 

(1) H(M) is in 8-bit output data d nved by 
compressior>-encoding an d-bit input data l(0) by 
an 8-tHt cryptograph key K1 , The cryptograph sys- 

45 tem has been predetermined. In this cryptograph 
system, it is difficult to detemnine the cryptograph 
key K1 based on the input data 1(0) and th output 
data H(M). 

(2) The transaction message is sectioned 
so into n 56-bit bbcks M1, M2. Mn. If th length 

of the last btock Mn does not reach 56 bits, bits 
"0" are added until ttie length of the block Mn 
reaches 56 bits. 

(3) One parity bit is added to every seven 
55 bits of tiie bkx:ks so tiiat ttie block lengtii is ex- 
panded to 64 bits. Th expanded blocks are des- 
ignated by K1, K2. Kn. 
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(4) The input data ) \s encoded by' the 
key Ki, and the encoded resuit is exclusively ORed 
with 1(1-1) to produce 

10) = 1(1-1) + EKi (!(i-1)) 

The above process is rejDeated for 1 = 1, 2. n. 
The initial value 1(0) is a predeterminer one. 

(5) The finally determined l(n) in the step (4) 
is used as H(M), which is divided into high order 
and low order data hi and h2. 

H(M) - (hi. h2) = l(n) 



Step 5040: 

The certifier electronic transaction unit 423 de- 
codes the encoded message EK(M) by using the 
message encoder 422 and the cryptograph key K. 

M = DK (EK(M)) 

ft informs the transaction message M to the cer- 
tifier 426. 



Step 5050: 

The certifier 426 watches the transaction mes- 
sage M decoded in the step 5040, and if he/she 
Judges that the transaction may be proceeded, 
he/she enters his/her secret key SKn by the IC 
card 424. 



Step 5060: 

The certifier electronic transaction unit 423 
compression-encodes the transaction message M 
by using the compression encoder 420 in the same 
manner as the step 5030 to prepare H(M) = (hi. 
h2). It also prepares a data in a predetermined 
fomnat as an ID T by a clock generator 417. In the 
present example, the ID T may be a current time, 
for example. "15:53:12 April 11, 1985". 



Step 5070: 

A tally Impression certificate data W1 is pre- 
pared by a certificate data preparation circuit 418 
from the ID T and the high order data hi derived 
from the encoded data l-l(M) by a divider 419. 

W1 = (T. hi) 



Step 5080: \ 

The tally impression certificate data W1 is de- 
coded by the seal/tally impression encoder 415 by 
s usin^ the secret key SKr by the predetermined 
public key cryptograph system to prepar D (Wl, 
SKr), which is sent to the signer electronic transac- 
tion unit 404. 

ro 

Step 5090: 

The signer electronic transaction unit 404 en- 
codes D (Wl, SK r) by the seal/tally impression 

75 encoder 412 by using the certifier public key PKr 
of the memory 4060 to prepare Wr = (E (D(W1, 
SKr), PKr). The encoded result WV is compared 
by the comparator 4110. If T* match s to the 
predetermined format and hi' is equal to hi pre- 

20 pared in the step 5030, it is judged that the certifier 
426 himself/herself is present at the certifier elec- 
tronic transaction unit 423. In the present example, 
the content of V is equal, to that of T. that is, 
"15:53:12 April 11, 1985" and the above judgement 

25 is made. 



Step 5100: 

30 The signer 401 notifies that the certifier 426 

hinself/hersetf is at the certifier electronic transac- 
tion unit 423 and the certifier 426 has decided to 
accept the transaction for the transaction message 
M. The signer 401 depresses the seal accept but- 

35 ton to prepare his/her electronic seal. 



Step 5110: 

40 The signer electronic transaction unit 404 en- 
ters (hi, h2) prepared in the step 5030 and T 
prepared in the step 5090 to the certificate data 
preparation circuit 4090 to prepare the tally certif- 
icate data W2. 

46 

W2«fr.h1.h2) 



Step 5120: 

50 

The tally impression certificate data W2 is de- 
coded by the seal/tally impr ssion encoder 412 by 
using the secret key SKs by the predetermined 
public key cryptograph system to prepare D (W2, 
55 SKs), which is sent to the certifier electronic trans- 
action unit 423. 
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Step 5130: 

The certifier electronic transaction unit 423 en- 
codes D {W2, SKs) by the seal/tally impression 
encoder 415 by the signer public key PKs of the 
memory 421 to prepare W2". 

W2- = E(D(W2.SKs), PKs) 

The comparator 4160 checks if T" = T and (hf. 
h2-) = (hi. h2) when W2- = (T", hi". h2-), and 
informs the result to the certifier 426. 



Step 5140: 

When the certifier 426 confirms that the result 
in the step 5130 is T" = T and (hi", h2") = (hi, 
h2)", he/she judges that D (W2, SKs) has been 
prepared by the . signer himself/herself based on 
the transaction message M, and decides to prepare 
and send the electronic seal of the signer. He/she 
depresses the . electronic seal prepare/send button 
of the certifier electronic transaction unit 423. 



Step 5150: 

The certifier electronic transaction unit 423 pre- 
pares the seal certificate data W2 by the certificate 
data preparation circuit 418 from (hi, h2) and T 
prepared in the step 5060. 



Step 5160: 

The certifier electronic transaction unit 423 de- 
codes W2 by the seal/tally impression encoder 415 
by using the certifier secret key SKr of the IC card 
424 by the public key cryptograph system to pre- 
pare D (W2, SKr), which is sent to tiie signer 
electronic transaction unit 404. 



Step 5170: 

The signer electronic transaction unit 404 en- 
codes D (W2. SK r) by the sealAally impression 
encoder 412 by using tiie certifier public key PKr 
of the memory 4060 by the public key cryptograph 
system to prepare W**. 

W2- = E (D(W2, SKr). PK r) 

If the comparator 411 indicated that T" » T and - 
(hi-, h2*) = (hi, h2) when W2- = (T". hi", h2"). 



it is judged that D (W2. SKr ) has been prepared 
by the certifier ^426 himseff/herseif based on the 
transaction message M. 

5 

Step 5180: 

The certifier electronic transaction unit 404 
records the transaction message M, the electronic 
10 seal D (W2. SKr) of the signer 401 and tiie elec- 
tronic seal D (W2. SKs) and tally impression O • 
(W2, SKr) of the certifier 426 In the message file 
4020, and terminates the operation. 

75 

Step 5190: 

The signer 401 keeps the message file 4020. 

20 

Step 5200: 

The certifier electronic transaction unit 423 
records the transaction message M. the electronic 
25 seat 0 (W2, SKs) of the signer 401. and tii elec- 
tronic seal D (W2, SKr) and tally impression D - 
(W2, SKr) of the certifier 426 in the message file 
425, and terminates the operation. 

30 

Step 5210: 

The certifier 426 keeps the message file 425. 

35 

Modification 1 of the embodiment 

In the steps 5010 and 5050 of the pr sent 
embodiment a portion of the information on the 

40 secret key is recorded in a magnetic card or IC 
card and the rest of the Information of the secret 
key is memorized by the signer or certifier as a 
secret number. When the secret key SKs or SKr is 
to be entered, it is inputted by reading the informa- 

45 tion from the magnetic card or IC card and keying 
the secret number by the secret key SKsor SKr. 



Modification 2 of the embodiment 

50 

In tiie step 5010. 5050, 5100 or 5140 of the 
present embodiment the terminal may confirm the 
person by the voice pattern or fingerprint before 
the signer or certifier enter the information. 
55 In the present modification, the signer or cer- 
tifier cannot escape with the electronic seal t>e- 
cause of the tally Impression check. If tiie certifier 
does not send the certifier's electronic seal O (W2, 
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SKr) and denies the transaction after the signer 
has sent th signer's electronic seal D (W2, SK r) 
when the signer and the certifier electronically 
transact the transaction message M, the signer 
may prove that the certifier attempts to deny the~ 
fact of transaction and escape with the signer's 
eiectronic sea) by decoding the tally impression by 
the public key PKr of the certifier and checking 
the content thereof. The tally impression D (W1, 
SKr) sent by the certifier to the signer prior to the 
exchange of the electronic seal includes the high 
order data hi of H(M) « (hi. h2) prepared by 
compression-encoding the transaction message M 
sent by the signer. 

W1 = (T. hi) 

It is difficult to prepare the secret key which ' 
meets 

D(W1.SKrO = D(W1,SKr) 

by the same reason as the third person cannot 
conduct the transaction as if he/she were the cer- 
tifier. Accordingly, it is only the certifier who has 
the secret key SKr that can prepare the tally Im- 
pression which includes the high order data of the 
compression-encoded message of the transaction 
message M. 

Fig. 1 1 shows other configuration of the system 
of the present invention, and Rg. 12 shows a flow 
chart of a procedure in a fifth embodiment of the 
present invention in the configuration of Rg. 11. 
Operations of elements in Rg. 11 are explained 
with reference to tiie flow chart of Rg. 12. 



Step 2010: 

The signer 104 enters the transaction message 
M from the message file 110 to the signer elec- 
tronic transaction unit 111. 



Step 2040:- 

Th certifier 112 confirms the transaction mes- 
sage tA displayed on tiie display 114. 

s 

Step 205: 

The certifier 112 reviews the content of tiie 
10 transaction message M and accepts to proceed 
with the transaction- 



Step 206: 

75 

The certifier 112 enters the grace period T, of 
the certifier electronic tally impression N, and the 
sender/receiver ID to the certifier electronic trans- 
action unit 122 by the keyboard 115. 

Step 207: 

The certifier electronic transaction unit 122 ed- 
25 its the input grace period T,. sender/receiver ID, 
time information T, generated by tiie timer 120 and 
information for identifying the content of the trans- 
action message M through the transaction status 
data edit drcuit 118 to prepare {produce) the trans- 
30 action status data W, = (Ti, H,). 



Step 208: 

35 The certifier electronic transaction unit 122 en- 

codes the transaction status data W, by the 
seal/tally Impression encoder 117 by using the 
secret key SKpof the certifier read from the IC card 
113 to prepare (produce) the certifier electronic 

40 tally impression N, = E (SKr, W,), which is sent to 
the signer electronic transaction unit 111 by the 
communication control unit 116. 



Step 2020: 

The signer electronic transaction unit 111 
sends the input transaction message M to the 
certifier electronic transaction unit 122 by the com- 
munication control unit 107. 



Step 2030: 

The certifier electronic transaction unit 122 re- 
ceives the transaction message M and displays it 
on the display 114. 



45 Step 209: 

The signer electronic transaction unit 111 de- 
codes the certifier electronic taily impression N, by 
the seal/tally impression encoder 1060 by using the 
50 public key PKr of the certifier registered in tiie 
memory 109 to prepare the transaction status data 
W. = D (PKr, N.), which is displayed on tiie 
display 1020. 

55 
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Step 210: 

The signer 1040 confirms th content of the 
transaction status data W, displayed on the display 
1020 to check on the validity thereof. 



Step 211: 

The signer 1040 accepts to proceed with the 
transaction depending on the result of the validity 
check of the transaction status data W,.' 



Step 212: 

The signer 1040 enters the grace period T, of 
the signer electronic seal N, and the 
sender/receiver ID to the signer electronic transac- 
tion unit 111 by the keykjoard 101 0. 



Step 213: 

The signer electronic transaction unit 111 edits 
the input grace period Tj, sender/receiver ID, time 
information To generated by the timer 108 and 
Information for identifying the content of the trans- 
action message M through the transaction status 
data edit circuit 1050 to prepare the transaction 
status data W, = (T^, H,). 



Step 214: 

The signer electronic transaction unit 111 en- 
codes the transaction status data W, by the seal/ 
tally impression encoder 1 060 by using the secret 
key SKs of the signer read from the IC card 1030 
to prepare the signer electronic seal N, = E (SKs, 
Wi), which is sent to the certifier electronic transac- 
tion unit 122 by the communication control unit 
107. 



Step 215: 

The certifier electronic transaction unit 122 de- 
codes the signer electronic seal N, of the seal/tally 
impression encoder 117 by using the public key 
PKs of the certifier registered in the memory 119 to 
prepare the transaction status data W, =a d (PKs, 
N,), which is displayed on the display 114. 



Step 216: 

Th certifier 112 confirms the content of the 
transaction status data Wa displayed on the display 
5 il4 to check the validity thereof. 



Step 217: 

70 The certifier 112 accepts to proceed with the 
transaction depending on the result of the validity 
check of the transaction status data W,. 



75 Step 218: 

The certifier 112 enters the grace period T, of 
the certifier electronic seal and the 

sender/receiver ID to the certifier electronic trans- 
SQ action unit 122 by the keyboard 115. 



Step 219: 

25 The certifier electronic transaction unit 122 ed- 
its the input grace period T,, sender/receiver ID, 
time information To generated by tiie tim r 120 and 
infonmation for identifying the content of the trans- 
action message M through the transaction status 

30 data edit circuit 118 to prepare the transaction 
status data Wi « (T,, H,). 



Step 220: 

36 

The certifier electronic transaction unit 122 en- 
codes the transaction status data Wa by the 
seal/tally impression encoder 117 by using the 
secret key SK r of the certifier read from the IC 
40 card 113 to prepare the certifier electronic seal N, 
« E (SKft, W,). which is sent to ttie signer elec- 
tronic transaction unit 111 by the communication 
control unit 116. 

46 

Step 221: 

The certifier electronic transaction unit 122 
keeps the transaction message M and the elec- 
50 tronic seals N, and Ni of both parties in the m s- 
sage file 121. 
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Step 222: 

The sign r electronic transaction unit 111 de- 
codes the certifier electronic' seal Ns by th 
seal/tally impression encoder 1060 by using the 
public key PK^ of the certifier registered in the 
memory 109 to prepare the transaction status data 
W, D (PKr, N,), which Is displayed on the 
display 1020. 



Step 223: 

The signer 1040 confinns the content of the 
transaction status data Wi displayed on the display 
1 020 to check tiie validity thereof. 



Step 224: 

The signer 1040 accepts to proceed with the 
transaction depending on the result of the validity 
check of the transaction status data Wa. 



Step 225: 

The signer electronic transaction unit ill 
keeps the transaction message M and electronic 
seals N2 and N3 of both parties in the message file 
110- 

In the steps 211. 217 and 224 of the present 
embodiment the grace period information indicat- 
ing the period for pemnitting interruption of the 
transaction is included in the electronic seal and 
tally Impression. If the party who received the 
electronic seal or tally impression lodges an op- 
position- against the received electronic seal or tally 
Impression within the grace period, he/she is en- 
sured to invalidate the electronic seal or tally im- 
pression he/she already Issued by reporting the 
termination of the transaction to the public or- 
ganization by the third party. Thus, a dispute dur- 
ing and after the transaction can be prevented. 

If ttte party who sent the electronic seal or tally 
impression wishes to tenminate the transaction be- 
cause something wrong was found later, the trans- 
action can be tenminated by reporting it to the 
public organization within the designated grace p)e- 
riod. Thus, a wrong transaction is prevented. 

The grace period may be sent to any period by 
the sender of the electronic seal and tally Impres- 
sion while taking the time necessary for tii re- 
ceiver to confirm the content Into consideration. 
Thus, even if there Is a difference between the 
processing speeds of the apparatus for preparing 
and checking the electronic seals and tally Impres- 
sion of both parties, the system can be flexibly 



operated. Thus, the safety of the transaction is 
assured where the apparatus having diff rent per- 
formances such as a personal computer and a 
large scale computer. 
5 In accordance with the present invention, un- 
authorized act by not only the parties but also the 
third person is prevented and a highly reliable 
electronic transaction system is attained. 

70 

Claims 

1. An elecbr^nic transaction system for elec- 
tronically transacting between first and second tran- 

75 sacting party units (404, 407) by replacing a docu- 
ment with a computer message comprising: 

an intermediation unit (406) intervening between 
said first and second transacting party units and 
20 Including means for publicly displaying data; 

display means in said Intermediation unit for dis- 
playing a first decoded message derived by decod- 
ing a certificate data by the first transacting party 
25 by using a secret key of the ficstJransacting party, 
and a second decoded message derived by decod- 
, tng said certificate data by the second transacting 
party by using a secret key of the second transac- 
ting party; and 

30 

means for allowing to determine whether the tran- 
sacting parties are said first and second transacting 
parties who have their own secret keys, by a party 
having a public key of the parties in response to 

35 display data on said display means of tii Inter- 
mediation unit based on the fact that a first en- 
coded message derived by encoding th first de- 
coded message by using the public k y of the first 
transacting psurty coincides with a second encoded 

40 message derived by encoding the second decoded 
message by using the public key of the second 
transacting party. 

2. An electronic transaction system according 
to Claim 1 wherein said intermediation unit includes. 

45 said means for publicly displaying data as well as a 
third secret key and data recording means, stores 
therein said first and second decoded messages, 
receives transaction data each time the first or 
second transacting party sends the transaction 

50 data, data-compression-encodes a data prepared 
by arranging the first or second decoded message 
and the transaction data by using the third secret 
key, records and publicly displays the encoded 
result, data-compression-encodes the original com- 

55 munication message which the first or second tran- 
sacting party possesses by using the third secret 
key based on the fact that any change of the 
original data affects to the result of the data com- 
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pression encoding, compares the encoded result 
with the recorded data-compression-encoded result 
to certify the content of the transaction data. 

3. An electronic transaction system according 
to Claim 1 wherein the transaction is effective only 
¥rtien the transacting party has communicated vvith 
the other transacting party at least once and both 
transacting parties have used their own secret keys 
at least once. 

4. An electronic transaction system for elec- 
tronically transacting by repladng a document with 
a computer message, comprising: 

means for exchanging between a first transacting 
party and a second transacting party a first de- 
coded message derived by decoding a certificate 
data by a first transacting party by a public key 
cryptograph system by using a secret key of the 
first transacting party and a second decoded mes- 
sage derived by decoding said certificate data by a 
second transacting party by using a secret key of 
the second transacting party and keeping said first 
and second decoded messages: 

means for encoding the first decoded message by 
using the public key of the first transacting party by 
a third party having the public keys of the first and 
second transacting parties and encoding the sec- 
ond decoded message by using thie public key of 
the second transacting party by the third party 
when one of fhe first and second transacting par- 
ties provides the first or second decoded message 
to the third party; and 

means for comparing the encoded results to deter- 
mine whether the transacting parties are the first 
and second transacting parties having the secret 
keys based on the fact that the first encoded 
message derived by encoding the public key of the 
dirst transacting party and the second encoded 
message derived by encoding the second decoded 
message by using the public key of the second 
transacting party are equal. 

5. An electronic transaction system according 
to Claim 1 wherein the certificate data includes a 
third encoded message derived by encoding a 
predetermined first data message by a predeter- 
mined third cryptograph system by using the trans- 
action message in the transaction as a cryptograph 
key and a second data message of a predeter- 
mined format, said third cryptograph system has 
such a characteristic that it is difHcult to find a 
cryptograph k y other than the first transaction 
message which results in an encoded result of the 
•third encoded message for the given first data 
message, one of the first and second transacting 
parti s provides the first and second decoded mes- 
sages to a third party who has the public keys of 



the first and second transacting parties and knows 
a third cryptograph system, as w II as the transac- 
tion message so that the third party encbd s the 
first decoded message by using the public key of 
5 the first transacting party and encodes the second 
decoded message by using the putHic key of the 
second transacting party, it is determined that the 
encoded result matches with the original certificate 
data if both encoded results are equal, and it is 
70 determined that the transaction message matches 
with the originally prepared transaction message If 
the result derived by encoding the first data nr>es- 
sage by the third encoding system by using the 
transaction message as the cryptograph key. 
7 s 6. A electronic transaction system according to 

Claim 1 wherein when the first and second de- 
coded messages are exchanged k}etween the first 
and second decoded messages, said intennnedia- 
tion unit includes a storage, and the first and see- 
so ond decoded messages are exchanged between 
the transacting parties through the irttermediation 
unit and the Intermediation unit stores the first and 
second decoded messages until both parties re- 
ceive the decoded message of the other, check the 
25 contents the reof and second signals to the inter- 
mediation unit. 

7. An electronic transaction system according 
to Claim 5 wherein the second data messag in- 
cluded in the certificate data includes infomnation 

30 representing an effective period of an electronic, 
seal in the transaction, the third encoding system 
has such a characteristic that it is v ry rare in 
probability that the same encoded result is ob- 
tained when different certificate data are given, and 

35 wfien one of the parties received a false decoded 
message or does not receive the decoded mes- 
sage from the other party within the effectiv pe- 
riod after he/she has sent the decoded message, 
he/she declares the termination of transaction to an 

40 authentication organization so that the invalidation 
of the decoded message he/she sent is assured by 
the authentication organization. 

8. An electronic transaction system for elec- 
tronically transacting by replacing a document with 

45 electric information, characterized in that certificate 
data each ir>dluding data representing the accep- 
tance of a transaction message derived by modify- 
ing information representing transaction status for 
each transacting party and data representing a 

50 grace period for permitting opposition to the trans- 
action are exchanged to proceed with the transac- 
tion. 

9. An electronic transaction system according 
to Claim 8 wherein the modification of th transac- 

55 tion status information is made by an asymmetric 
key cryptograph system, on of the asymmetric 
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key Is secret, and information encoded by using 
th secret key is decoded by the other key. to 
Identify and certify the transacting party. 

10. An electronic transaction system according 
to Claim 8 wherein said grace period is determined 
by taking a time required to prepare and check the 
certificate data inherent to the transacting party into 
consideration, and Invalidation of the certificate 
data issued by the transacting party is assured by 
an authentication organization by declaring the ter- 
mination of the transaction to the authentication 
organization vrithin the grace period when the tran- 
sacting party has an opposition to the certificate 
data of the other transacting party. 

11. An electronic transaction system for elec- 
tronically transacting by replacing a document with 
electric information, comprising: 

means for predetermining a first certificate data 
preparation method for preparing certificate data 
indicating that a transaction message, has been 
informally accepted, and a second certificate data 
preparation method different from said first certif- 
icate data preparation method for preparing certif- 
icate data indicating that the transaction message 
has t>een formally accepted; 

means for providing a first certificate data for the 
transaction message by the first certificate data 
preparation method by a first transacting party, and 
sending it to a second transacting party; 

means for providing a second certificate data for 
the transaction message by the second certificate 
data preparation method by a second transacting 
' party after the reception of the first certificate data 
from the first transacting party; and 

means for providing a third certificate data for the 
transaction message by the second certificate data 
preparation method by the first transacting party 
after the reception of the second certificate data 
from the second transacting party to proceed with 
the transaction. 

12. An electronic transaction system according 
to Claim 11 wherein said first certificate data prep- 
aration method uses a predetermined public key 
cryptograph system, encodes first transaction sta- 
tus data representing tansaction status by a secret 
key to prepare the certificate data, and said second 
certificate data preparation method uses a pre- 
determined public key cryptograph system and en- 
codes second transaction status data different from 
said first transaction status data by a secret key to • 
prepare the certificate data. 

13. An electronic transaction system according 
to Claim 11 wherein said first transaction status 
data includes a first compression-encoded mes- 



sage derived by compression-encoding the ta-ans- 
action message by a first compression encoding 
metiiod. and said second transaction data includes 
a second compression-encoded message derived 
5 by compression-encoding the transaction message 
by a second compression encoding method other 
than the first compression encoding method. 

14. An electronic transaction method for elec- 
tronically transacting between first and second tran- 

10 sacting party units by replacing a deocument with 
a computer message comprising the steps of: 

providing an Intennediation unit irrtervening be- 
tween said first and second transacting party units 
75 and including means for publicly displaying data; 

displaying on said intermediation unit for a first 
decoded message derived by decoding a certif- 
icate data by the first transacting party by using a 
20 secret key of tiie first transacting party, and a 
second decoded message derived by decoding 
said certificate data by the second transacting par- 
ty by using a secret key of the second transacting 
party; and 

25 

determining whether the transacting parties are 
said first and second transacting parties who hav 
tiielr own secret keys, by a third party having a 
public key of the parties by refening to the display 

30 on said intermediation unit based on the fact that a 
first encloded message derived by encoding the 
first decoded message by using the public key of 
the first transacting party and a second encoded 
message derived by encoding the second decoded 

35 message by using the public key of the second 
transacting party are equal. 

15. An electronic transaction method for elec- 
tronically transacting by replacing a document with 
a computer message, comprising the steps of: 

40 

exchanging t>etween a first transacting party and a 
second transacting party a first decoded message 
derived by decoding a certificate data by a first 
transacting party by a public key cryptograph sys- 

45 tem by using a secret key of the first transacting 
party and a second decoded message derived by 
decoding said certificate data by a second transac- 
ting party by using a secret key of the second 
transacting party and keeping said first and second 

50 decoded messages; 

encoding the first decoded m ssage by using the 
public key of the first transacting party by a third 
party having the public keys of the first and second 
55 transacting parties and encoding the second de- 
coded messag by using .the public key of the 
second transacting party by the third party when 
one of the first and second transacting parties 
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provides the first or second decoded message to 
the third party; and ^ 

comparing the encoded results to determine vyheth- 
er the transacting parties are the first and second 
transacting parties having the secret keys based on 
the fact that the first encoded message derived by 
encoding the public key of the first transacting 
party and the second encoded message derived by 
encoding the second decoded message by using 
the public key of the second transacting party are 
equal. 

16. An electronic transaction method for elec- 
tronically transacting by replacing a document with 
electric inforrriation, comprising the steps of: 

predetermining a first certificate data production - 
scheme for producing certificate data indicating 
that a transaction message has been informally 
accepted, and a second certificate data production 
scheme different from said first certificate data 



production scheme for producing certificate data 
indicating that the transaction message has been 
formally accepted; 

5 providing a first certificate data for the transaction 
message by the first certificate data production - 
scheme by a first transacting party, and sending It 
to a second transacting party; 

10 providing a second certificate data for th transac- 
tion message by the second certificate data pro- 
duction scheme by a second tiwsacting party after 
the reception of the first certificate data from the 
first transacting party; and 

75 

providing a third certificate data for the transaction 
message by the second certificate data production 
scheme by the first transacting party after the 
reception of the second certificate data firom the 
20 second transacting party to proceed with the trans- 
action. 



25 



30 



3S 



40 



45 



SO 



65 



22 



0 214 609 



FIG. 2 A PRIOR ART 



II 









22 

.•■••.13.12 y 








BLOCK 
ENCODER 

EK 


■>,^0I .02. - -.On-i 


f 


■ ~- 

EXCLUSIVE OR 

\ 



'21 

.SECRET 
KEY K 



On 



FIG. 3 PRIOR ART 




0 214 609 




0 214 609 




0 214 609 




0 214 609 



FIG. 7 



SIGNER 



! SIGNER TERMINAL 




1-2 

0.0 

-lUJl- 

<oi- 

UJU3 
CO<ffi 



521 



UJ J 

uji: 



ENCODE 
TRANSACTION 
MESSAGE K 
I EK(I) 



502 



508 

] D(T«SKR)i 



ENCODE D(T,SKF* 

T'=E(D{T,SKR|PKR) 

OK IF T'lS OF 

PREDETERMINED 
FORM 



1 



PREPARE 

CETIFICATE DATE W 
W=(T,C(IO, I )) 



I 



PRODUCE 
ELECTRONIC 
SEAL 

D(W, SKS ) 




51 



D(W.SKS) 



517 



CHECK 

ELECTRONIC SEAL 
CHECK OK IF 
W^=E(D(W3KR)tPWM 

w^crjcdo, !"» 



519 



D(W.SKS) 




COPY I, 
D(W.SKS), 
D(W,SKR)INTO RLE 



INTERMEDIATION 
TERMINAL 

EKCI) 



sos'-M- 



505-H-- 
507 



START 
INTERMEDI- 
ATION 

TERMINAL 



-510 



RECORD 
OCW,SKS) 



D(W.SKS) 



516 




RECORD 
0(W3KR) 



'518 



ERASE 

0(V«;SKS), 

D(W,SKR) 



CERTIFIER 
TERMINAL 



DECODE 
TRANSACTION 
MESSAGE K 
EK(I) — I 



INPUT ID 
T 



TIME 



I 




DECODE ID 
D ( T, SKr) 



D(T.SKR) r 
506 



513 



CHECK ELECTRONIC 
SEAL CHECK OK IF 

W=BD(W,SKsiPKs\ 

w=fr,aio. I')) 
faro,r)''C{io,i) 
ir=T 



515 



2l 



PRODUCE 

EUECTRONIC 

SEAL 

D(W, SKR) 



D(W.SKR) 



520 

_J_ 



COPY I, 
CXW.SKS), 
D(W,SKR)INTO FILE 



CERTIFIER 



504 



514 



1-2 
OLO 

<n<(D 



522 



0 214 609 



FIG. 8 



SIGNER 



SIGNER 
TERMINAL 



CBRpFIER 
TERMINAL 



CERTIRER 



PRODUCE 
TRANSiQCTION 
Ml 



— I — ■ 



ENCX30E 
TRANSA 
j^ESSAG 



ON 



501 



509 




SEAL 
ACCEPT 
BUTTON 



502 



508 




K(J) - I 



INPUT SECRET 
KEY SKf 

ION 




INPUT ID 
T: TIME 



ENCODE D(T.SKr) 

E (D(T3<faPKR) 

OK IF T' IS OF 

PREDETERMINED 
FORM 



T 

504 



0ED30E ID 
D(T.SKr) 



506 



71 I 



HASHTOrn^ 
C( 10. 1 ) ( ~5I0 



gggXJCE CERnFICATE 
W=(VXC(IO,I)) 



51 



" > ] cao.rt = c(io.i) 



CHECK ELHHRaMIC 
SEAL 

W=E(D(W.SKs).FKs) 
W^=(V:TfC(IO.I)) 
OK IF 



514 



SEAL 

ACCEPT 

BUTTON 



CHECK ELECTRONIC SEAL 
Vr=E{p(W.SKR).PKR) 

w'={v^t'!:c(io.i^)) 

CHECK OK IF \f/^- W 



PRODUCE 

ELECTRONIC SEAL 



D (W.SKr) 



521^ 


51 


9^ 1 . 


KEEP IN 




COPir r,D(w,SKs\ 


FILE 




D(S,SKr) 






IN FILE 



520 
J_ 



COPY I,D(W,SKsi 
D(W,SKr) 
IN FILE 



515 

I 



KEEP IN 
FILE 



0 214 609 




(M 
CVJ 



SMd A3X 
0ll8nd>| AHM 
HdVdOGLLdA^ 



d3aOON3 



Q. 



liNn 

lOdlNOO 
NOIIVO 
-INniAIMOO 






00 








NOISSaddMI 




i i 

Q Q 



a: 
in 



in 



q: (t 



II Nn 
TOajJyJOO 
NOIIVO 

-\m\moio 



(n en 

is 



dBOOONB 



a 

o 



on9rw>iA3>i 

HcA;U£XlLdA80 
39VSS3IN 
AdOVON 



CVJ 

Z 



d3aO0N3 

NOissaudNi 

ATIV1/-1V3S 




7 

o 



J 



CM 



i= o 



o 
o 

L 













CLOCK 
GENERAir 



CD 

1 



q: 

UJ 

o 





a: 






CO 


a 




cr 








o 





7 



o 

m 
O 

2 



2 

CO 



5> 



I 

o 

CO 



r 



o 



0 214 609 



• SIGNER 
5010^ 



PRODUCE 
TRftNS/SCnON 
MESSAGE M 
INPUT SffiRET 
KEY SKq 



FIG. 10 

llgNER . CERT1RER 

TERMINAL TERMINAL 

5 020>^ 5040 



ENCODE M 
K 

M-EK(M) 



5030 



5100 



I 



DECODE EK(M) 
K 

EK(IVI) *- U 



CERTIRER 
50 50^ 



INPUT SECRET 
KEY SKr 

TRANSfl CnON 

ACCEPT 

BUTTON 



ggM^^ON- 
M*H(M) = (hl,h2) 



SEAL 

ACCEPT 

BUTTON 



5090 



'5060 



M*H(M) = (hl,h2) 
INPUT ID 
T TIME 



CHECK ELECTRONIC 
SEAL 

W1,=E(D(W!-SKr).PKr) 

Wl=(T',hlM/ 
CHECK O K. IF T IS 
OF PREDETERMINED 
FORMAT AND h/=hl 



I 



5C^70 



PRODUCE TJOLLY 
IMPRESSION CERTIRCATE 
DfiTA W1:r(T. hi) 



5110 



5I20> 



UJ CATE DATA 
^ W2=(T;hl,h2) 



I 



5130 -X 



PRODUCE ELECT RONIC 
TALLY IMPRESSION 
Wt D(W1 .SKR) 

^080 



PRODUCE ELECTRONIC 
SEAL 

W2 — D(W2,SKs) 



CHECK ELECTRONIC SEAL 
W2'= E(D(W2.SKs),PKs) 

OIECK OK IF 
T^= T AND 
{H\h^') Mhl,h2) 



514 0^ 



SEAL 

ACCEPT 

BUTTON 



. ^5170 

CHECK ELECTRONIC SEAL 
W2^=E(D(W2,SI<r).PKr) 

CHECK^OK IF 
"T^^AND 

(ht^h2'0= (hi,h2) 



^5150 



5t90-x 



KEEP 
FILE 



PRODUCE SEAL CERTIR- 
CATE DATA 

W2 MT.hl.h2) 



I 



PRODUCE ELECTRGNIC 
SEAL 

W2^D(W2,SKr) 



V ,^ 180 



-5200 



'5160 
5210 



RESERVE 
TRANSftCnON 
MESSflfiE AND 
ELECTRONIC SEAL 



HhltHVh 






TWVNSACTION 
MESSAGE AND 




KEEP 




FILE 


elb::irxc seal 





0 214 609 




0 214 609 



FIG. 12 



SIGNER 



INRTI 



2iOIO 



2ip 



CONRRM 
CXJVTENr Wi 
OF ELECT 
SEALNi 



W1 I 



acx:ept 
electronic 

SEAL 
Wi=>OK 



INPUT GRACE 
PERIOOTaOF 

ELECTRONIC 
SEAL N2 



212 



223 



OFELHrrRCNIC 
SEALN3 



ELECTRONIC 
SEAL 

W3 => OK 



224 



SIGNER 
ELECTRONIC 



^Rd 



2020 



209 
I 



AND 



TRONIC 
W|=D(PKr.Ni) 



/-2I3 



EEXT TRANS- 
ACTION smais 
DffTA W2 

W2-(T2,H2) 



PftOCXJCEANO 
iLBCTRONIC 




r 

214 
222 



RECEIVE AND 
DE CODE 
ELKHRONIC 
SEAL N3 
Vy3 = D(PKRjVi3 



KE EP 

ELECTRONIC 
SEAL 
N1.N2.M 



t 



225 



M 



207 



N2= 

E(SKs,W2)l 



|N3= 
(SKr.W3)I 



CjE RTinE R 
ELECTRONIC 
Ijg^^ON 



TRaNSCnON 
MESSAGE M 



2030- 



EDIT 

TRANSACTION 
STATUS OAlAWi 

W|=(Tt,Hi) 



208^^ 



PRODUCE AND 
SEND 

Ni'ECSKn.Wi) 



215 



AND 



219 



EDIT TFWNS- 
ACTlON.SWrUS 
DOIA W3 

V\^«(T3.H3) 



220^1 



PRODUCE AND 
10 




N3=E(SKr.W3) 



] 



KE EP 
^OTTWNIC 



22 



CERTinER 



CONFRM 
TRANSACTION 
MESSAGE M 



1^-2040 



ACXEFT 

TRANSACTION 

ME5SAGEM 



205 



INPUT GWXCE 
PERIOD Ti OF 
ELECTRONIC 
SEAL Ni 



206 



216 



CONRRM 
CONTENTW? J 
OFELBCTROIIC 
SEAL N2 



217 



ACCEPT 
ELECTRONIC 
SEAL 

W2=> OK 



I 



218 



INPUT GRACE 
PERIODT3 OF 
ELECTRONIC 
SEAL N3 



